Sean Gallagher wrote:
> On 27/07/2023 5:57 pm, Ondřej Kuzník wrote:
>> I'm not sure what you're trying to achieve here. Why do you want to
>> distinguish different kinds of anonymous clients?
>
> My clients are very asymmetric. Each has a particular job to do, and a
> particular set of operations to perform on the database. I was trying to
> restrict access for each client, to just what was needed for it to perform
> its task. Then if one client is compromised, damage can be (more) contained.
>
> As it stands, before a bind, all (IP) clients look the same (apart from the
> IP address) - and so all clients need "auth" access to all other clients'
> credentials.
That is all false. No auth privileges are needed to perform a SASL EXTERNAL Bind.

> If any client is granted some pre-bind rights, all clients get those same
> rights. One compromised client makes all clients vulnerable. This is not
> necessary.

The exact same is true with what you've proposed.

> slapd _knows_ the identity of each client, it's just a matter of exposing it
> to the ACL rules. It's not even without precedent, the sasl_ssf is
> exposed to the ACL rules before a bind, why not other properties of the sasl
> state?
>
> Anyway, this is just a "nice to have" idea, the real-life effect this would
> have on security is pretty minimal. It's just frustrating when I have to
> weaken access controls to do things the "right" way..

All you're doing is inventing a new authentication mechanism instead of using
one that already exists.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
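For readers following the exchange, here is an added slapd.conf fragment (not posted in the thread, and not OpenLDAP project code) showing the existing mechanism Howard points at: each client authenticates with its own TLS client certificate over SASL EXTERNAL, slapd derives the identity from the certificate subject, and the ACLs key on that identity. Because EXTERNAL carries the credential in the TLS handshake, no entry needs "auth" access before the bind, so the clients' subtree can stay closed to anonymous. The DNs, file paths, worker names and the ou=orders / ou=inventory subtrees are assumptions chosen for the example.

```conf
# Added example, not from the mailing-list thread or the OpenLDAP project.
# All DNs, paths and subtree names below are assumptions for illustration.

# Server TLS material; the CA here is the one that issued the client certs.
TLSCACertificateFile  /etc/ldap/ca.pem
TLSCertificateFile    /etc/ldap/slapd.pem
TLSCertificateKeyFile /etc/ldap/slapd.key
# Refuse any TLS session that does not present a certificate chaining to the CA.
TLSVerifyClient demand

# With SASL EXTERNAL over TLS, the authentication identity is the subject DN
# of the client certificate. Map certs issued as
#   cn=<worker>,ou=clients,o=example
# onto entries under ou=clients,dc=example,dc=com. The mapping is optional:
# the raw certificate DN can be used in "by dn.exact=" directly, and the
# target entry (if any) needs no userPassword at all.
authz-regexp
  "^cn=([^,]+),ou=clients,o=example$"
  "cn=$1,ou=clients,dc=example,dc=com"

# Per-job rights. Nothing is granted before the bind, and the identity is
# fixed by the certificate, so a compromised inventory-worker cannot reach
# ou=orders at all. tls_ssf=128 additionally rejects a bind made over a
# weak cipher suite.
access to dn.subtree="ou=orders,dc=example,dc=com"
  by dn.exact="cn=orders-worker,ou=clients,dc=example,dc=com" tls_ssf=128 write
  by * none

access to dn.subtree="ou=inventory,dc=example,dc=com"
  by dn.exact="cn=inventory-worker,ou=clients,dc=example,dc=com" tls_ssf=128 read
  by * none

# The clients' own entries stay closed: no "by anonymous auth" is required,
# because SASL EXTERNAL never performs a password comparison against them.
access to dn.subtree="ou=clients,dc=example,dc=com"
  by * none

access to *
  by * none
```

On the client side the corresponding bind is the stock tooling, e.g. `LDAPTLS_CERT=orders-worker.pem LDAPTLS_KEY=orders-worker.key ldapwhoami -H ldap://ldap.example.com -ZZ -Y EXTERNAL`, which should report the mapped DN; an unmapped or absent certificate fails at the TLS layer under `TLSVerifyClient demand` before any LDAP operation is attempted. The check worth running after deploying such a file is an anonymous `ldapsearch -x` against `ou=clients,dc=example,dc=com`, which must return nothing: that confirms the pre-bind exposure the original poster was trying to avoid is gone.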